Iranian Cyber Army, The Offensive Arm of Iran’s Cyber Force

Part 2 of the Iranian Cyber Threat Blog Series

The Iranian Revolutionary Guard (IRGC) first proposed the establishment of the Iranian Cyber Army (ICA) in 2005, but its implementation was accelerated as media attacks against the Ahmadinejad administration grew following his government’s mismanagement of the country across all fields. The group expanded considerably in the early years of the Ahmadinejad administration. The ICA’s human resources department would find professional hackers and blackmail them into cooperating with the group; hackers who refused to join were also threatened with imprisonment.

Iran has seen a number of well-known hacker groups since the Internet was first introduced to the public in 2000. The most famous were:

Ashiyaneh

Shabgard

Simorgh

Due to the lack of firm cybercrime laws in Iran, these groups could easily attack websites, either to gain recognition or simply as competition amongst themselves. As attacks by these groups against government targets increased, IRGC officials became interested in the power of hacker groups and in controlling them for their own interests. Government intelligence bodies gathered many hacker groups and began cooperating with the hackers in order to confront government opposition.

In parallel with the activities of the hacker groups, private companies were set up to find and employ professional hackers, who were used to teach hacking methods to security forces. These companies were responsible for instructing hackers and carrying out Iranian Cyber Army projects. They are also involved in importing military technology for the Iranian armed forces.

Increase in Cyber Capabilities

Due to the ICA’s project, Iran’s cyber capabilities increased dramatically in a few years. Over the past four years, Iran’s offensive cyber capabilities have continued to evolve and mature. The ICA began to make its presence known in late 2009, after evidence of the Stuxnet virus began to surface in Iranian nuclear facilities, damaging over 1,000 Iranian centrifuges and delaying the Iranian atomic program by years. In response to these attacks, Iranian officials have focused on cyberspace as a primary flashpoint in the regime’s unfolding confrontation with the West.

In 2009, Defense Tech, an American security and military institute, included Iran among the top five in its list of the most powerful countries in terms of cyber force. The institute also stated that the ICA was a subdivision of the IRGC cyber team, with an annual budget of 76 million dollars and over a billion dollars invested in infrastructure so far. Iranian officials claim to possess the “fourth largest” cyber force in the world, after the U.S., China and Russia.

Additionally, the Iranian Cyber Army enjoys access to a large pool of talented hackers. In December 2011, Eric Schmidt, the executive chairman of Google, commented in an interview with CNN on Iran’s activities in cyberspace and said that the Iranians had succeeded in taking over information traffic on the Internet through intelligent hacking. According to him, Iranian hackers had succeeded in diverting the flow of information in Denmark towards Iran and then returning it to Denmark. He concluded that “Iranians are unusually talented in cyber war for some reason we don’t fully understand.”

The ICA’s Major Attacks

Attack on Voice of America

In February 2011, the Iranian Cyber Army launched an attack against the Voice of America’s website. The board for VOA said hackers compromised Voice of America’s primary domain name (VOANews.com) and redirected visitors to another website claiming to be run by the “Iranian Cyber Army.” Numerous related domains registered with Network Solutions were also hijacked, and their visitors were likewise redirected to the website supposedly run by the “Iranian Cyber Army.”

DigiNotar, Dutch Web Security Firm

In 2011, the ICA reportedly obtained 500 fraudulently issued Internet security certificates and then used them against around 300,000 Iranian Internet users. According to the Dutch government, the attackers stole the certificates from DigiNotar, a Dutch web security firm. The Dutch Justice Ministry published a list of the fake certificates, which had been issued for sites operated by Yahoo, Facebook, Microsoft, Skype, AOL, the Tor Project, WordPress, and intelligence agencies such as Israel’s Mossad and Britain’s MI6. The lost certificates eventually led to DigiNotar going out of business only a few months after the incident.
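A fraudulently issued certificate chains to a trusted root, so ordinary chain validation accepts it; what exposed the DigiNotar certificates in practice was public-key pinning, a client-side check that the presented chain contains a key the client already expects for that host. The following is an added illustration written for this post, not code from the original article or from any browser vendor: it implements the pinning check (SHA-256 over the DER SubjectPublicKeyInfo of each certificate in the chain, accepted if any one matches the host’s pin set, with pins inherited by subdomains). The SPKI byte strings, the pinned host, and the issuer labels are constructed stand-ins, not real certificate data.

```python
import base64
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class PinSet:
    """Pins for one host: base64 SHA-256 digests of SubjectPublicKeyInfo DER."""
    host: str
    include_subdomains: bool
    pins: frozenset


@dataclass(frozen=True)
class ObservedChain:
    """What a client saw in a TLS handshake (constructed for this example)."""
    host: str
    leaf_issuer: str
    spkis: tuple  # DER-encoded SPKI of each certificate, leaf first


def spki_pin(spki_der: bytes) -> str:
    """Pin value: base64(SHA-256(SubjectPublicKeyInfo DER))."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def host_matches(pinned: PinSet, host: str) -> bool:
    """Exact match, or a subdomain when the pin set covers subdomains."""
    host = host.lower().rstrip(".")
    if host == pinned.host:
        return True
    return pinned.include_subdomains and host.endswith("." + pinned.host)


def find_pinset(pinsets, host: str):
    """Most specific (longest) pinned host that applies, or None."""
    candidates = [p for p in pinsets if host_matches(p, host)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: len(p.host))


def check_chain(chain: ObservedChain, pinsets) -> str:
    """'no-pin' if the host is unpinned, 'ok' if any certificate in the
    presented chain carries a pinned key, otherwise 'pin-mismatch'.
    Chain validation against the trust store is assumed to have passed
    already; this check runs after it and rejects a mis-issued chain."""
    pinset = find_pinset(pinsets, chain.host)
    if pinset is None:
        return "no-pin"
    presented = {spki_pin(der) for der in chain.spkis}
    return "ok" if presented & pinset.pins else "pin-mismatch"


# Constructed stand-ins for DER SubjectPublicKeyInfo blobs (not real keys).
LEGIT_ROOT_SPKI = b"CONSTRUCTED-SPKI:legitimate-root-ca"
LEGIT_LEAF_SPKI = b"CONSTRUCTED-SPKI:legitimate-leaf"
ROGUE_CA_SPKI = b"CONSTRUCTED-SPKI:rogue-ca"
ROGUE_LEAF_SPKI = b"CONSTRUCTED-SPKI:rogue-leaf"

# Pin set as a client would ship it: the legitimate root's key, covering subdomains.
PINSETS = (
    PinSet("google.com", True, frozenset({spki_pin(LEGIT_ROOT_SPKI)})),
)

# Two handshakes for the same pinned host: the genuine chain and a chain
# issued by a CA that is trusted by the OS but was never pinned for this host.
LEGIT = ObservedChain("mail.google.com", "Legitimate Root CA (constructed)",
                      (LEGIT_LEAF_SPKI, LEGIT_ROOT_SPKI))
ROGUE = ObservedChain("mail.google.com", "DigiNotar (constructed issuer label)",
                      (ROGUE_LEAF_SPKI, ROGUE_CA_SPKI))


def triage(chains, pinsets=PINSETS) -> dict:
    """Map each chain's issuer label to its pinning verdict."""
    return {c.leaf_issuer: check_chain(c, pinsets) for c in chains}


if __name__ == "__main__":
    for issuer, verdict in triage([LEGIT, ROGUE]).items():
        print(f"{verdict:13s} issuer={issuer}")
```

The point of the check is that a mis-issued certificate fails even though it is technically valid; the rogue chain above is rejected only because its keys are absent from the pin set, not because anything about the issuer name is inspected. Operationally, the same mismatch is what a client should report to the site operator or CA, since a trusted-but-unexpected issuer is the signature of a compromised CA.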

Twitter Under Attack

On December 17, 2011, when Twitter became inaccessible in some countries, users were redirected to an English-language webpage containing the following message:

Iranian Cyber Army

“THIS SITE HAS BEEN HACKED BY IRANIAN CYBER ARMY iRANiAN.CYBER.ARMY@GMAIL.COM . U.S.A. Think They Controlling And Managing Internet By Their Access, But THey Don’t, We Control And Manage Internet By Our Power, So Do Not Try To Stimulation Iranian Peoples To….NOW WHICH COUNTRY IN EMBARGO LIST? IRAN? USA? WE PUSH THEM IN EMBARGO LIST Take Care.”

U.S. Financial Institutions Attacks

In September 2012, the websites of U.S. banks targeted by Iranian distributed denial of service (DDoS) attacks were severely disrupted in their ability to provide the banks’ customers any service. In short, the DDoS attacks made it very difficult to do any sort of online banking with the banks affected. Bank of America, Citigroup, JPMorgan Chase, and Wells Fargo, which are the biggest banks in America, were among the victims. Many believe that these attacks were in retaliation for sanctions imposed on Iran by the United States and its allies.

Arab Energy Firms

In September 2012, at the same time that U.S. financial institutions were under attack, the so-called “Shamoon virus” also struck Arab energy firms in multiple Arab states allied with America. Saudi Arabia’s ARAMCO was hit. Leon Panetta, the Secretary of Defense at the time, told reporters, “This was the most destructive attack the business sector has seen to date.” Panetta went so far as to say that these cyber-attacks constituted a “Cyber Pearl Harbor” in terms of their suddenness and destructiveness. More than 30,000 computers in ARAMCO’s network were affected by the virus and had to be replaced because of its devastating effect.

Attack on Israel

In June 2013, Benjamin Netanyahu told a conference on cyber warfare in his country’s commercial hub that Israel’s computer systems are subject to non-stop cyber-attacks from Iran.

Netanyahu gave no indication of the number of attacks; however, he claimed that critical infrastructure, including that in the power, water and banking sectors, had all come under fire. He went on to say, “In the past few months, we have identified a significant increase in the scope of cyber-attacks on Israel by Iran. These attacks are carried out directly by Iran and through its proxies, Hamas and Hezbollah.” Iran has significantly increased its attacks on Israel’s infrastructure in retaliation for the Stuxnet virus in 2009, which is believed to have been developed by Israel and the United States and which infected Iran’s nuclear facilities.